MDVSA-2010:042

Descrição do problema

Security issues were identified and fixed in firefox 3.0.x and 3.5.x:

Mozilla developers identified and fixed several stability bugs in the
browser engine used in Firefox and other Mozilla-based products. Some
of these crashes showed evidence of memory corruption under certain
circumstances and we presume that with enough effort at least some
of these could be exploited to run arbitrary code (CVE-2010-0159).

Security researcher Orlando Barrera II reported via TippingPoint's Zero
Day Initiative that Mozilla's implementation of Web Workers contained
an error in its handling of array data types when processing posted
messages. This error could be used by an attacker to corrupt heap
memory and crash the browser, potentially running arbitrary code on
a victim's computer (CVE-2010-0160).

Security researcher Alin Rad Pop of Secunia Research reported that
the HTML parser incorrectly freed used memory when insufficient space
was available to process remaining input. Under such circumstances,
memory occupied by in-use objects was freed and could later be filled
with attacker-controlled text. These conditions could result in the
execution or arbitrary code if methods on the freed objects were
subsequently called (CVE-2009-1571).

Security researcher Hidetake Jo of Microsoft Vulnerability Research
reported that the properties set on an object passed to showModalDialog
were readable by the document contained in the dialog, even when
the document was from a different domain. This is a violation of the
same-origin policy and could result in a website running untrusted
JavaScript if it assumed the dialogArguments could not be initialized
by another site. An anonymous security researcher, via TippingPoint's
Zero Day Initiative, also independently reported this issue to Mozilla
(CVE-2009-3988).

Mozilla security researcher Georgi Guninski reported that when a SVG
document which is served with Content-Type: application/octet-stream
is embedded into another document via an tag with
type=image/svg+xml, the Content-Type is ignored and the SVG document
is processed normally. A website which allows arbitrary binary data to
be uploaded but which relies on Content-Type: application/octet-stream
to prevent script execution could have such protection bypassed. An
attacker could upload a SVG document containing JavaScript as a binary
file to a website, embed the SVG document into a malicous page on
another site, and gain access to the script environment from the
SVG-serving site, bypassing the same-origin policy (CVE-2010-0162).

The CSSLoaderImpl::DoSheetComplete function in
layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18,
3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2;
and SeaMonkey before 2.0.3 changes the case of certain strings in
a stylesheet before adding this stylesheet to the XUL cache, which
might allow remote attackers to modify the browser's font and other
CSS attributes, and potentially disrupt rendering of a web page,
by forcing the browser to perform this erroneous stylesheet caching
(CVE-2010-0169).

Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x
before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3
allow remote attackers to perform cross-origin keystroke capture,
and possibly conduct cross-site scripting (XSS) attacks, by using
the addEventListener and setTimeout functions in conjunction with
a wrapped object. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2007-3736 (CVE-2010-0171).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

Additionally, some packages which require so, have been rebuilt and
are being provided as updates.